systembc | ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-04-2023 09:14

Target

84499558c48c4fdebac20cab68253aa7.exe
Size

228KB
MD5

84499558c48c4fdebac20cab68253aa7
SHA1

d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce
SHA256

ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c
SHA512

00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a
SSDEEP

3072:psLU9af5Y43YGpnzljr0E8aj8G9Ku+oukzuhWkiWBkOuRGK:GL2O3YGpnzlFBj59zukihIpjcK

Score

10^/10

systembc trojan

Family

systembc

109.205.214.18:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ccoppjj.exe

pid process

1764 ccoppjj.exe

pid	process
1764	ccoppjj.exe

Drops file in Windows directory 2 IoCs

Processes:

84499558c48c4fdebac20cab68253aa7.exe

description	ioc	process
File created	C:\Windows\Tasks\ccoppjj.job	84499558c48c4fdebac20cab68253aa7.exe
File opened for modification	C:\Windows\Tasks\ccoppjj.job	84499558c48c4fdebac20cab68253aa7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

84499558c48c4fdebac20cab68253aa7.exe

pid process

1500 84499558c48c4fdebac20cab68253aa7.exe

pid	process
1500	84499558c48c4fdebac20cab68253aa7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1440 wrote to memory of 1764	1440	taskeng.exe	ccoppjj.exe
PID 1440 wrote to memory of 1764	1440	taskeng.exe	ccoppjj.exe
PID 1440 wrote to memory of 1764	1440	taskeng.exe	ccoppjj.exe
PID 1440 wrote to memory of 1764	1440	taskeng.exe	ccoppjj.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {45090914-468F-4883-A28D-A99DBB9B8C43} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\ProgramData\fbcrwn\ccoppjj.exe
C:\ProgramData\fbcrwn\ccoppjj.exe start
2⤵
- Executes dropped EXE
PID:1764

C:\ProgramData\fbcrwn\ccoppjj.exe
Filesize
228KB

MD5
84499558c48c4fdebac20cab68253aa7

SHA1
d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce

SHA256
ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c

SHA512
00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a

Download Submit
C:\ProgramData\fbcrwn\ccoppjj.exe
Filesize
228KB

MD5
84499558c48c4fdebac20cab68253aa7

SHA1
d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce

SHA256
ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c

SHA512
00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a

Download Submit
memory/1500-55-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1500-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1764-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download